Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

        Multiple SAML libraries may allow authentication bypass via
             incorrect XML canonicalization and DOM traversal
                             28 February 2018


        AusCERT Security Bulletin Summary

Product:           python-saml
                   Shibboleth openSAML
Publisher:         CERT/CC
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Apple iOS
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0489 CVE-2017-11430 CVE-2017-11429
                   CVE-2017-11428 CVE-2017-11427 

Original Bulletin: 

Comment: This advisory affects multiple libraries implementing SAML, which
         will have different patch schedules.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#475445

Multiple SAML libraries may allow authentication bypass via incorrect XML
canonicalization and DOM traversal

Original Release date: 27 Feb 2018 | Last revised: 27 Feb 2018


Multiple SAML libraries may incorrectly utilize the results of XML DOM
traversal and canonicalization APIs in such a way that an attacker may be able
to manipulate the SAML data without invalidating the cryptographic signature,
allowing the attack to potentially bypass authentication to SAML service


CWE-287: Improper Authentication

Security Assertion Markup Language (SAML) is an XML-based markup language for
security assertions regarding authentication and permissions, most commonly
used for single sign-on (SSO) services.

Some XML DOM traversal and canonicalization APIs may be inconsistent in
handling of comments within XML nodes. Incorrect use of these APIs by some SAML
libraries results in incorrect parsing of the inner text of XML nodes such that
any inner text after the comment is lost prior to cryptographically signing the
SAML message. Text after the comment therefore has no impact on the signature
on the SAML message.

A remote attacker can modify SAML content for a SAML service provider without
invalidating the cryptographic signature, which may allow attackers to bypass
primary authentication for the affected SAML service provider

The following CVEs are assigned:

CVE-2017-11427 - OneLogin's "python-saml"
CVE-2017-11428 - OneLogin's "ruby-saml"
CVE-2017-11429 - Clever's "saml2-js"
CVE-2017-11430 - "OmniAuth-SAML"
CVE-2018-0489 - Shibboleth openSAML C++

More information is available in the researcher's blog post. 


By modifying SAML content without invalidating the cryptographic signature, a
remote, unauthenticated attacker may be able to bypass primary authentication
for an affected SAML service provider.


Apply updates

Affected SAML service providers should update software to utilize the latest
releases of affected SAML libraries. Please see the vendor list below for more

Vendor Information (Learn More)

                 Vendor                     Status        Date     Date Updated
Clever, Inc.                             Affected     24 Jan 2018  26 Feb 2018
Duo Security                             Affected     -            22 Feb 2018
OmniAuth                                 Affected     24 Jan 2018  06 Feb 2018
OneLogin Inc                             Affected     24 Jan 2018  27 Feb 2018
Shibboleth Consortium                    Affected     24 Jan 2018  06 Feb 2018
AssureBridge                             Not Affected -            27 Feb 2018
Okta Inc.                                Not Affected 29 Jan 2018  27 Feb 2018
Box                                      Unknown      23 Feb 2018  23 Feb 2018
Cisco                                    Unknown      23 Feb 2018  23 Feb 2018
Danish e-Infrastructure Cooperation      Unknown      24 Jan 2018  24 Jan 2018
Entr'ouvert                              Unknown      24 Jan 2018  24 Jan 2018
GitHub                                   Unknown      24 Jan 2018  24 Jan 2018
Google                                   Unknown      23 Feb 2018  23 Feb 2018
Microsoft                                Unknown      23 Feb 2018  23 Feb 2018
Pivotal Software, Inc.                   Unknown      24 Jan 2018  24 Jan 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

    Group     Score             Vector
Base          6.3   AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal      4.9   E:POC/RL:OF/RC:C
Environmental 4.9   CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND


  * https://duo.com/blog/
  * https://duo.com/labs/psa/duo-psa-2017-003
  * https://shibboleth.net/community/advisories/secadv_20180112.txt
  * https://cwe.mitre.org/data/definitions/287.html


Thanks to Kelby Ludwig of Duo Security for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  * CVE IDs: CVE-2017-11427 CVE-2017-11428 CVE-2017-11429 CVE-2017-11430
  * Date Public: 27 Feb 2018
  * Date First Published: 27 Feb 2018
  * Date Last Updated: 27 Feb 2018
  * Document Revision: 67

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967